King Pang wrote:
Hello,
Our company developers Microsoft Solutions and I am responsible for
leading the security initiative in the corporation. I have spent a
lot of time and effort on how we should apply security guidance to our
product life cycle, such as adding threat modeling and doing security
review. But after I have convinced them that security is important,
we brought up a discussion on how we should charge our customers.
Many of you have customer experience. They want to pay the minimum
and have all the features. If they can choose not to pay, they won't.
Cheap, fast, good. Pick any two.
If we tell them threat modeling will add x human-weeks of development
and we have to charge them x thousand dollars more, they won't pay.
Then don't tell them. Just let them know you've invested lots of time
and energy into making your product as safe and secure as is humanly
possible, and show them only the price that includes that development time.
Moreover, they expect the system to be secure enough and if there is
anything wrong, they would think that is our fault.
And rightly so. You are the developing party, and it's your
responsibility to make sure the software you create is working as
intended. Security flaws are just extra spicy bugs after all.
If any of you have any experience on dealing security with customers
and how you would deal with this issue, please throw in two cents. Any
comments or related articles would help too.
Just apply what security measures are reasonable and don't tell the
customers that 20% of the price could have been cut right out if you
hadn't done it. Your marketing department will be much happier promoting
a solid product that costs a little more than telling all your customers
"sorry for the price, but we had to do a little security audit as well".
I'm sure they'll be able to concoct all sorts of nice euphemistical
circumscriptions to accompany the pricelist.
Warm Regards.
/exon
